Granting a role without ADMIN
OPTION is supposed to prevent the grantee from adding
or removing members from the granted role, but this
restriction was easily bypassed by doing SET ROLE first. The security impact is
mostly that a role member can revoke the access of others,
contrary to the wishes of his grantor. Unapproved role
member additions are a lesser concern, since an
uncooperative role member could provide most of his rights
to others anyway by creating views or SECURITY DEFINER functions.
(CVE-2014-0060)

The primary role of PL validator functions is to be
called implicitly during CREATE
FUNCTION, but they are also normal SQL functions that
a user can call explicitly. Calling a validator on a
function actually written in some other language was not
checked for and could be exploited for privilege-escalation
purposes. The fix involves adding a call to a
privilege-checking function in each validator function.
Non-core procedural languages will also need to make this
change to their own validator functions, if any.
(CVE-2014-0061)

If the name lookups performed during a DDL command come to
different conclusions due to concurrent activity, we might
perform some parts of the DDL on a different table than other
parts. At least in the case of CREATE INDEX, this can be used
to cause the permissions checks to be performed against a
different table than the index creation, allowing for a
privilege escalation attack. (CVE-2014-0062)

Prevent buffer overrun with long datetime strings (Noah
Misch)

The MAXDATELEN constant was too
small for the longest possible value of type interval, allowing a buffer overrun in
interval_out(). Although the
datetime input functions were more careful about avoiding
buffer overrun, the limit was short enough to cause them to
reject some valid inputs, such as input containing a very
long timezone name. The ecpg library contained these
vulnerabilities along with some of its own.
(CVE-2014-0063)

Several functions, mostly type input functions,
calculated an allocation size without checking for
overflow. If overflow did occur, a too-small buffer would
be allocated and then written past. (CVE-2014-0064)
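As an added illustration of the allocation-size overflow class just described (example code written for these notes, not PostgreSQL source), the following C functions compute header + nelems * elemsize with explicit overflow checks beside the unchecked form; the header size, element size and element counts are constructed values:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Added example, not PostgreSQL source. A type input routine often sizes its
 * result as header + nelems * elemsize. Computed in size_t without a check,
 * that expression wraps around for large nelems, so the allocation is too
 * small and the later writes run past its end (the CVE-2014-0064 pattern).
 * This version returns false instead of wrapping. */
bool checked_alloc_size(size_t header, size_t nelems, size_t elemsize, size_t *out)
{
    size_t body;

    if (elemsize != 0 && nelems > SIZE_MAX / elemsize)
        return false;               /* nelems * elemsize would overflow */
    body = nelems * elemsize;
    if (body > SIZE_MAX - header)
        return false;               /* header + body would overflow */
    *out = header + body;
    return true;
}

/* Allocate a buffer of checked size; NULL on overflow or allocation failure,
 * so the caller reports an error rather than writing into a wrapped-size buffer. */
void *checked_alloc(size_t header, size_t nelems, size_t elemsize)
{
    size_t total;

    if (!checked_alloc_size(header, nelems, elemsize, &total))
        return NULL;
    return malloc(total);
}

/* The unchecked form, for contrast: with header 16, elemsize 8 and
 * nelems = SIZE_MAX / 8 + 1, the product wraps to 0 and the "size" is 16. */
size_t unchecked_alloc_size(size_t header, size_t nelems, size_t elemsize)
{
    return header + nelems * elemsize;
}
```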

Use strlcpy() and related
functions to provide a clear guarantee that fixed-size
buffers are not overrun. Unlike the preceding items, it is
unclear whether these cases really represent live issues,
since in most cases there appear to be previous constraints
on the size of the input string. Nonetheless it seems
prudent to silence all Coverity warnings of this type.
(CVE-2014-0065)
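An added example, not PostgreSQL's own port/strlcpy.c, of the guarantee strlcpy() gives: safe_strlcpy() below mirrors strlcpy() semantics, and copy_identifier() is a hypothetical caller that uses the return value to detect truncation into a constructed 64-byte buffer:

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not PostgreSQL source: a strlcpy()-compatible copy.
 * Copies at most dstsize-1 bytes, always NUL-terminates when dstsize > 0,
 * and returns strlen(src) so the caller can detect truncation. */
static size_t safe_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize > 0)
    {
        size_t n = (srclen >= dstsize) ? dstsize - 1 : srclen;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hypothetical fixed-size identifier buffer (64 bytes, a constructed
 * stand-in for a NAMEDATALEN-sized buffer). Returns true if the whole
 * name fit; false means the copy was truncated but still NUL-terminated. */
#define NAME_BUF_LEN 64

bool copy_identifier(char dst[NAME_BUF_LEN], const char *src)
{
    /* strcpy() here would overrun dst for any src of 64 or more bytes. */
    return safe_strlcpy(dst, src, NAME_BUF_LEN) < NAME_BUF_LEN;
}

/* Demonstration: a constructed 100-byte name is clipped to 63 bytes plus NUL. */
size_t demo_truncated_length(void)
{
    char buf[NAME_BUF_LEN];
    char longname[101];

    memset(longname, 'a', 100);
    longname[100] = '\0';
    copy_identifier(buf, longname);     /* returns false: truncated */
    return strlen(buf);                 /* 63 */
}
```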

Avoid crashing if crypt()
returns NULL (Honza Horak, Bruce Momjian)

There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One
practical case in which this could be an issue is if
libc is configured to
refuse to execute unapproved hashing algorithms (e.g.,
"FIPS mode").
(CVE-2014-0066)

Since the temporary server started by make check uses "trust" authentication, another user on the
same machine could connect to it as database superuser, and
then potentially exploit the privileges of the
operating-system user who started the tests. A future
release will probably incorporate changes in the testing
procedure to prevent this risk, but some public discussion
is needed first. So for the moment, just warn people
against using make check when
there are untrusted users on the same machine.
(CVE-2014-0067)

Fix possible mis-replay of WAL records when some
segments of a relation aren't full size (Greg Stark, Tom
Lane)

The WAL update could be applied to the wrong page,
potentially many pages past where it should have been.
Aside from corrupting data, this error has been observed to
result in significant "bloat" of
standby servers compared to their masters, due to updates
being applied far beyond where the end-of-file should have
been. This failure mode does not appear to be a significant
risk during crash recovery, only when initially
synchronizing a standby created from a base backup taken
from a quickly-changing master.

In some cases WAL replay would mistakenly conclude that
the database was already consistent at the start of replay,
thus possibly allowing hot-standby queries before the
database was really consistent. Other symptoms such as
"PANIC: WAL contains references to
invalid pages" were also possible.

The previous coding might attempt to do catalog access
when it shouldn't.

Accept SHIFT_JIS as an encoding
name for locale checking purposes (Tatsuo Ishii)

Fix misbehavior of PQhost() on Windows (Fujii Masao)

It should return localhost if
no host has been specified.

Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)

In particular this fixes an infinite loop that could
occur in 9.2 and up if the server connection was lost
during COPY FROM STDIN. Variants
of that scenario might be possible in older versions, or
with other client applications.

These text files duplicated the main HTML and PDF
documentation formats. The trouble involved in maintaining
them greatly outweighs the likely audience for plain-text
format. Distribution tarballs will still contain files by
these names, but they'll just be stubs directing the reader
to consult the main documentation. The plain-text
INSTALL file will still be
maintained, as there is arguably a use-case for that.

Update time zone data files to tzdata release 2013i for DST law
changes in Jordan and historical changes in Cuba.

In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are
no longer maintained by IANA, and never represented actual
civil timekeeping practice.